Handbook

Configuring a Global DNS policy

The Global DNS policy is a rule base that matches traffic to DNS zones. Traffic that matches both the source and the destination criteria is served by the policy. Traffic that does not match any policy is served by the DNS “general settings” configuration.

Before you begin, you must have:

  • A good understanding of DNS and knowledge of the DNS deployment in your network.
  • Configured address objects, remote servers, DNS zones, and optional configuration objects you want to specify in your policy.
  • Read-Write permission for Global Load Balance settings.
To configure the global DNS policy rule base:
  1. Go to Global Load Balance > Zone Tools.
  2. Click the Global DNS Policy tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Global DNS policy configuration.
  5. Save the configuration.
  6. Reorder rules, as necessary.

Global DNS policy configuration

Settings and guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Source

Select an address object to specify the source match criteria. See Configuring an address group.

Destination

Select an address object to specify the destination match criteria. See Configuring an address group.

Zone List

Select one or more zone configurations to serve DNS requests from matching traffic. See Configuring DNS zones.

DNS64 List

Select one or more DNS64 configurations to use when resolving IPv6 requests. See Configuring DNS64.

Recursion

Enables/disables recursion. If enabled, the DNS server attempts to do all the work required to answer the query. If not enabled, the server returns a referral response when it does not already know the answer.

DNSSEC

Enables/disables DNSSEC.

DNSSEC Validation

Enables/disables DNSSEC validation.

Forward

  • First—The DNS server queries the forwarders list before doing its own DNS lookup.
  • Only—Only queries the forwarders list. Does not perform its own DNS lookups.

Note: The internal server caches the results it learns from the forwarders, which optimizes subsequent lookups.

Forwarders

If forwarding is enabled for this policy (Forward set to First or Only), select the remote DNS server configuration to which requests are forwarded. See Configuring remote DNS servers.

Response Rate Limit

Select a rate limit configuration object. See Configuring the response rate limit.

Reordering

After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.
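As an added illustration, not FortiADC code, the following Python model reproduces the evaluation rule stated above (top to bottom, first rule whose source and destination both match wins, otherwise the DNS general settings apply) and adds an ordering check that flags any rule shadowed by a broader rule placed above it. All rule names, address objects and zone names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the rule base described above. Rule names, address
# objects and zone names are made-up sample data, not FortiADC's data model.

@dataclass
class Rule:
    name: str
    source: list        # networks in the source address object
    destination: list   # networks in the destination address object
    zones: list         # zone configurations served on a match

def _covers(nets, ip):
    return any(ip in n for n in nets)

def match_policy(rules, src_ip, dst_ip):
    """Consult the rule table top to bottom; the first rule whose source AND
    destination objects both contain the packet wins. No match falls back to
    the DNS general settings (returned here as the string 'general-settings')."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _covers(rule.source, src) and _covers(rule.destination, dst):
            return rule.name
    return "general-settings"

def _object_subsumed(inner, outer):
    """True if every network in `inner` lies inside some network in `outer`."""
    return all(
        any(n.version == o.version and n.subnet_of(o) for o in outer)
        for n in inner
    )

def shadowed_rules(rules):
    """Ordering check: a rule placed below one whose source and destination
    objects fully contain its own can never be reached."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_object_subsumed(later.source, earlier.source)
                    and _object_subsumed(later.destination, earlier.destination)):
                found.append((later.name, earlier.name))
                break
    return found

def net(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Constructed sample rule base (RFC 5737 documentation addresses).
RULES = [
    Rule("internal-clients", net("10.0.0.0/8"), net("192.0.2.53/32"), ["corp.example"]),
    Rule("anyone", net("0.0.0.0/0"), net("192.0.2.53/32"), ["example.com"]),
    Rule("branch-office", net("10.1.0.0/16"), net("192.0.2.53/32"), ["branch.example"]),
]
```

In the sample table, "branch-office" sits below "internal-clients", whose objects contain all of its traffic, so it is never applied; moving it above the broader rule is the reorder step the procedure refers to.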